behaviour for bsdauth is maintained by checking authctxt->valid in the
bsdauth driver. Note that any third-party kbdint drivers will now need
to be able to handle responses for invalid logins. ok markus@
+ - djm@cvs.openbsd.org 2004/12/22 02:13:19
+ [cipher-ctr.c cipher.c]
+ remove fallback AES support for old OpenSSL, as OpenBSD has had it for
+ many years now; ok deraadt@
+ (Id sync only: Portable will continue to support older OpenSSLs)
- (dtucker) [auth-pam.c] Bug #971: Prevent leaking information about user
existence via keyboard-interactive/pam, in conjunction with previous
auth2-chall.c change; with Colin Watson and djm.
}
}
+/* Check ssh internal flags in addition to PAM */
+
+static int
+sshpam_login_allowed(Authctxt *ctxt)
+{
+ if (ctxt->valid && (ctxt->pw->pw_uid != 0 ||
+ options.permit_root_login == PERMIT_YES))
+ return 1;
+ return 0;
+}
+
/* Import regular and PAM environment from subprocess */
static void
import_environments(Buffer *b)
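Review bot: `sshpam_login_allowed` dereferences `ctxt->pw` as soon as `ctxt->valid` is set, so it silently relies on the invariant that a valid Authctxt always carries a non-NULL `pw`; the condition is lifted verbatim from the three call sites, so the patch does not make this worse, but now that the policy lives in one helper the assumption should be stated next to it. I would replace the one-line header with a comment explaining that the function returns 1 only when the account exists (`valid`) and, for uid 0, `PermitRootLogin yes` is in effect, and that callers substitute the dummy password when it returns 0 so PAM still runs its full failure path and timing does not reveal whether the user exists. The blank line between `/* Check ssh internal flags in addition to PAM */` and `static int` separates the comment from the definition it documents; drop it so the comment sits directly above the function as elsewhere in the file. If `pw` can ever be NULL while `valid` is set, guard it with `if (ctxt->valid && ctxt->pw != NULL && (...))`; otherwise a comment recording the assumption is enough.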
**prompts = NULL;
}
if (type == PAM_SUCCESS) {
- if (!sshpam_authctxt->valid ||
- (sshpam_authctxt->pw->pw_uid == 0 &&
- options.permit_root_login != PERMIT_YES))
+ if (!sshpam_login_allowed(sshpam_authctxt))
fatal("Internal error: PAM auth "
"succeeded when it should have "
"failed");
return (-1);
}
buffer_init(&buffer);
- if (sshpam_authctxt->valid &&
- (sshpam_authctxt->pw->pw_uid != 0 ||
- options.permit_root_login == PERMIT_YES))
+ if (sshpam_login_allowed(sshpam_authctxt))
buffer_put_cstring(&buffer, *resp);
else
buffer_put_cstring(&buffer, badpw);
* by PermitRootLogin, use an invalid password to prevent leaking
* information via timing (eg if the PAM config has a delay on fail).
*/
- if (!authctxt->valid || (authctxt->pw->pw_uid == 0 &&
- options.permit_root_login != PERMIT_YES))
+ if (!sshpam_login_allowed(authctxt))
sshpam_password = badpw;
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
sshpam_err = pam_authenticate(sshpam_handle, flags);
sshpam_password = NULL;
- if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
+ if (sshpam_err == PAM_SUCCESS && sshpam_login_allowed(authctxt)) {
debug("PAM: password authentication accepted for %.100s",
authctxt->user);
return 1;
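Review bot: The new test `if (sshpam_err == PAM_SUCCESS && sshpam_login_allowed(authctxt))` treats a PAM success for a login that ssh itself disallows as an ordinary authentication failure, whereas the same situation in sshpam_query earlier in this patch is a `fatal("Internal error: PAM auth succeeded when it should have failed")`; the two paths should agree, because in both cases PAM has accepted the deliberately invalid `badpw` and the stack is presumably misconfigured (a permissive module, say). Either add the same `fatal()` check here before the success test, or at least log the PAM-accepted-badpw case distinctly so an operator can tell a misconfigured PAM stack from a wrong password. The remainder of sshpam_auth_passwd, including its failure branch, lies outside the hunk, so I cannot see what that branch reports today.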